Vulnerability Details : CVE-2022-31091
Guzzle is an extensible PHP HTTP client. `Authorization` and `Cookie` headers on requests are sensitive information. In affected versions, when a request receives a redirect to a URI on a different port and the client is configured to follow it, the `Authorization` and `Cookie` headers should be removed from the request before continuing; previously, only a change in host or scheme triggered that removal. Affected Guzzle 7 users should upgrade to Guzzle 7.4.5 as soon as possible. Affected users on any earlier series of Guzzle should upgrade to Guzzle 6.5.8 or 7.4.5. Note that a partial fix was implemented in Guzzle 7.4.2, where a change in host triggered removal of the curl-added `Authorization` header; that earlier fix did not cover a change in scheme or port. If you are unable to upgrade, an alternative is to use your own redirect middleware rather than Guzzle's. If you do not require or expect redirects to be followed, simply disable redirects altogether.
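The following is an added example, not Guzzle's own code, showing the origin check that a redirect-following client (or the "own redirect middleware" alternative mentioned above) needs: scheme, host and port are all part of the origin, with default ports normalised so that `https://host` and `https://host:443` compare equal. It assumes absolute URIs (a relative `Location` must be resolved against the request URI first) and uses constructed header values; the function names are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example (not Guzzle's code): treat a change in scheme, host OR port
// as a change of origin, and drop sensitive headers when crossing one.

function defaultPort(string $scheme): ?int
{
    return match ($scheme) {
        'http'  => 80,
        'https' => 443,
        default => null,
    };
}

// Normalised (scheme, host, port) triple for an absolute URI.
function originOf(string $uri): array
{
    $parts = parse_url($uri);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        throw new InvalidArgumentException("Absolute URI required: $uri");
    }
    $scheme = strtolower($parts['scheme']);
    return [
        'scheme' => $scheme,
        'host'   => strtolower($parts['host']),
        'port'   => $parts['port'] ?? defaultPort($scheme),
    ];
}

function crossesOrigin(string $from, string $to): bool
{
    return originOf($from) !== originOf($to);
}

// Returns the headers that may be carried over to the redirected request.
function headersForRedirect(array $headers, string $from, string $to): array
{
    if (!crossesOrigin($from, $to)) {
        return $headers;
    }
    $sensitive = ['authorization', 'cookie'];
    return array_filter(
        $headers,
        fn (string $name): bool => !in_array(strtolower($name), $sensitive, true),
        ARRAY_FILTER_USE_KEY
    );
}

// Constructed sample headers (placeholder values).
$headers = [
    'Authorization' => 'Bearer example-token',
    'Cookie'        => 'session=example',
    'Accept'        => 'application/json',
];

// [original request URI, redirect target, expect sensitive headers stripped?]
$cases = [
    ['https://api.example.test/v1', 'https://api.example.test/v2',       false], // same origin
    ['https://api.example.test/v1', 'https://api.example.test:8443/v2',  true],  // port change (this CVE)
    ['https://api.example.test/v1', 'http://api.example.test/v2',        true],  // scheme change
    ['https://api.example.test/v1', 'https://other.example.test/v2',     true],  // host change
    ['http://api.example.test/v1',  'http://api.example.test:80/v2',     false], // explicit default port
];

foreach ($cases as [$from, $to, $expectStrip]) {
    $kept = headersForRedirect($headers, $from, $to);
    $stripped = !isset($kept['Authorization']) && !isset($kept['Cookie']);
    if ($stripped !== $expectStrip) {
        throw new RuntimeException("Unexpected result for $from -> $to");
    }
    printf("%-32s -> %-38s strip=%s\n", $from, $to, $stripped ? 'yes' : 'no');
}
```

Run with `php example.php` (PHP 8 or later, for `match`). The last case is the one worth keeping in a regression suite: a port that is merely spelled out explicitly is not a change of origin, so comparing the raw URI strings would both over-strip there and, as in the affected versions, under-strip when only the port differs.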
Vulnerability category: Information leak
Products affected by CVE-2022-31091
- cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
- cpe:2.3:a:guzzlephp:guzzle:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-31091
0.23% - probability of exploitation activity in the next 30 days
EPSS Score History
~61% - percentile, i.e. the proportion of vulnerabilities scored at or below this value
CVSS scores for CVE-2022-31091
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
4.0 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:N/A:N | 8.0 | 2.9 | NIST | |
7.7 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N | 3.1 | 4.0 | NIST | |
7.7 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N | 3.1 | 4.0 | GitHub, Inc. | |
CWE ids for CVE-2022-31091
- The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. (Assigned by: security-advisories@github.com, Primary)
References for CVE-2022-31091
- https://github.com/guzzle/guzzle/security/advisories/GHSA-q559-8m2m-g699 - "Change in port should be considered a change in origin", guzzle/guzzle advisory on GitHub (Mitigation; Third Party Advisory)
- https://security.gentoo.org/glsa/202305-24 - "MediaWiki: Multiple Vulnerabilities" (GLSA 202305-24), Gentoo security
- https://www.debian.org/security/2022/dsa-5246 - Debian Security Information, DSA-5246-1 mediawiki (Third Party Advisory)
- https://github.com/guzzle/guzzle/commit/1dd98b0564cb3f6bd16ce683cb755f94c10fbd82 - "Release 7.4.5 (#3043)", guzzle/guzzle@1dd98b0 on GitHub (Patch; Third Party Advisory)